Until a few years ago Internet security wasn't even recognized as a need.
The culture of the Internet encouraged the sharing of data and ideas; the
common goals of Internet users made boundaries and restrictions
unnecessary--or so it seemed to many at the time.
Originally, the people on the Internet were the people who built the
Internet, but as time passed and the Internet became more useful and more
reliable, they were joined by other people at their companies and
universities--and then by other companies and universities. With fewer
common goals and more people, the Internet became a much more dangerous
place. Although various sorts of mischief were quite common, these incidents
got little publicity, and most people who thought of computer security
problems at all assumed that such problems involved teenagers breaking into
banks with modems.
The Internet Worm changed all that. In November of 1988 the Internet linked
about 60,000 computers, and a good many of them found themselves under
attack. Even those not affected by the Worm still had to be checked and
rechecked to be sure they were safe from infection. Estimates of the total
price tag for the incident are in the hundreds of millions of dollars.
The Worm was the first Internet security incident to hit the nightly news.
People who had been working in obscurity suddenly found TV camera crews in
their machine rooms. The issue was no longer whether you needed to secure
your computer systems--it was how you were going to secure them.
In the years since the Worm, there has been an explosion in Internet
usage--and a corresponding explosion in new types of Internet attacks.
Consider a few recent reports from the front:
* Over the years, computational physicist and computer security
researcher Tsutomu Shimomura of the San Diego Supercomputer Center has
accumulated an invaluable archive of security tools and documentation
of system security holes. On Christmas Day 1994 an intruder copied the
files from his archive. Two days later Shimomura received a voice mail
message, bragging about the intrusion and threatening his life.
Shimomura reacted aggressively by setting up stealth monitoring posts
and tracking the intruder's further break-ins at telephone company
switching centers, companies like Apple and Motorola, the Well, and
Netcom (from which the intruder copied 20,000 credit card account
numbers). Shimomura concluded that the intruder was computer criminal
Kevin Mitnick, who had been sought for years by law enforcement. After
an intensive hunt conducted with the cooperation of the FBI and local
telephone companies, Mitnick was tracked down in Raleigh, North
Carolina.
* In the fall of 1994 two writers, Josh Quittner and Michelle Slatalla,
were the target of an "electronic mail bomb", apparently in retaliation
for an article on the cracker community they'd published in Wired
magazine. Someone broke into IBM, Sprint, and the writers' network
provider and modified programs so their email and telephone service was
disrupted. A flood of email messages so overwhelmed their network
service that other messages couldn't get through; eventually their
Internet connection was shut down entirely. Their phone service also
fell victim to the intruders, who reprogrammed things so that callers
were routed to an out-of-state number where they heard an obscene
recording.
* More and more sites are falling victim to password sniffers. The CERT
(Computer Emergency Response Team) reports that as many as 100,000
sites were targeted by password sniffers in 1994. (We'll explain what
sniffers do later in this article.)
Insidious attacks like these have made computer security one of the most
pressing problems facing Internet users in this decade. O'Reilly &
Associates' line of computer security books looks closely at the risks of
using the Internet and the measures you can take to reduce these risks.
Internet Risks
What kinds of security risks do you take on the Internet? Here's a sampling:
Password Attacks
Some years ago, before the Worm raised our consciousness about security
risks, it was almost laughably easy for intruders to break into almost any
system. Many sites didn't use passwords at all, or offered guest or admin
passwords that users could share. Users who did have their own passwords
routinely chose passwords that could be easily guessed (the names of their
children or pets, their birth dates, their license plates). Because nobody
bothered to encrypt files, an intruder who broke into the system could then
invade almost anybody's files, take a copy of the /etc/passwd file, and
later run it through a password cracking program that quickly revealed the
passwords of other users in the system. Once deciphered, these purloined
passwords became bartering chips among underground groups that shared
technical information about product vulnerabilities and site-specific
security holes.
Most systems and users have tightened up their security in the wake of the
Internet Worm. Guest and admin passwords have become rarer, but password
security as a whole is still laughable in most places. Group accounts
abound, and invariably at least 10 percent of the passwords users select are
poor (the only way to make them better is to install a password program that
forces good passwords). Readily available password dictionaries, cracking
programs, and password sniffing combine to make passwords very vulnerable.
How can you avoid password attacks? Educate the users on your system so they
pick better passwords. Consider using system-generated passwords or, better
still, stronger types of authentication, such as one-time (nonreusable)
passwords.
Password Sniffing Attacks
The recent wave of password sniffing attacks on the Internet makes the
strength of your passwords almost irrelevant.
How does password sniffing work? In many network setups, it is possible for
any machine on a given network to hear the traffic for every machine on that
network. This is true for most Ethernet-based networks, and Ethernet is by
far the most common local area networking technology in use today. This
characteristic of Ethernet is especially dangerous because most of the
protocols in use today are unencrypted. As a result, the data sent and
received is there for anybody to snoop on. This data includes files accessed
via network file systems, passwords sent to remote systems during Telnet,
FTP, and rlogin sessions, electronic mail sent and received, and so on.
A password sniffer is a program that takes advantage of this characteristic
to monitor all of the IP (Internet Protocol) traffic on its part of the
network. By capturing the first 128 bytes of every FTP or Telnet session,
for example, password sniffers can easily pick up your user name and
password as you type them. Password sniffers may use programs provided for
network debugging as building blocks, or may be written to use the services
directly. Special-purpose password sniffing toolkits are widely available to
attackers.
The danger of password sniffing attacks is in their rapid spread. Favorite
targets for sniffers are network providers and public access systems where
the volume of Telnet and FTP connections is huge. One sniffer on large
public access systems can collect thousands of sniffed account names and
passwords, and then compromise every system accessed. Even if your systems
are as secure as possible and your user passwords are not guessable, you can
be infected by a packet sniffer running at any site that your users can log
in from, or at any site their packets will cross to get to you.
Password sniffing can happen anywhere. Many people make the mistake of
assuming that because they're using a well-known, commercial service, there
is no danger in remotely accessing their own machines across the network. In
fact, the commercial services are prime targets, and most of them are
periodically compromised. In any case, a connection may cross a large number
of intermediate networks, which each represent unknown risks. How can you
avoid being sniffed? In general, you can't and still provide remote network
access. If your password ever passes across a network which might be
insecure--electronically or physically--it is likely to be captured. What
you can do is ensure that an intruder who gets your password can't use it.
One-time (nonreusable) passwords are probably the most effective way. Using
a freely available program like Bellcore's S/Key may not keep your passwords
from being viewed, but because these passwords are used only once, it
doesn't really matter if they are seen.
NFS and Other Data Service Attacks
A number of services exist to allow computers to share information with each
other and to allow users to move easily from computer to computer. These
services are an important part of the power of UNIX networks. Unfortunately,
they are often exploited by attackers, who convince these services to share
more information than intended or to share it with unintended recipients.
Often this occurs because designers were concerned with local area network
access and did not realize that services might also be available across wide
area networks to other organizations.
The Network File System (NFS) and Network Information Service (NIS) are
notoriously easy ways to attack a system. NFS allows systems to share files
over a network by letting a client mount a disk on a remote server machine.
NIS maintains a distributed database of password tables, group files, host
tables, and other information that systems on a network can share. Many
sites choose not to support NIS at all, and some avoid even NFS. However,
these services are not a problem if they are run in a protected environment
(for example, behind a fire wall).
If you haven't properly protected your site, an attacker may be able to
simply NFS-mount your filesystems. The way NFS works, client machines are
allowed to read and change files stored on the server without having to log
into the server or enter a password.
Because NFS doesn't log transactions, you might not even know that someone
has full access to your files.
NIS is most often used to distribute password information, and most
implementations of NIS provide absolutely no control over which machines can
request information. As long as an attacker can guess the name of your NIS
domain and can send an NIS request to your NIS server, that attacker can get
a full copy of your password information (including encrypted passwords),
even if you are running shadow passwords and the passwords are not in the
/etc/passwd file. The attacker is then free to crack your passwords at
leisure.
NFS, NIS, and other services have additional security vulnerabilities, both
obvious and not so obvious. For example, NFS has very weak client
authentication, and an attacker may be able to convince the NFS server that
a request is coming from a client that is permitted in the exports file (the
file that lets you specify which file systems can be mounted via NFS, and
which other machines can mount them). There are also situations in which an
attacker can hijack an existing NFS mount. (See the discussion of hijacking
attacks later in this article.)
Denial of Service Attacks
There are two classic types of denial of service attacks, both particularly
devastating when used on a network. Earlier in this article, we described an
"electronic mail bomb" that shut down service by flooding an email mailbox.
That's one type of denial of service--the same type performed by the
Internet Worm. What happens here is that an intruder so floods a system or
network--with messages, processes, or network requests--that no work can be
done. The system or network spends all its time responding to messages and
requests, and canUt actually satisfy any of them.
In the other category of attack, equipment or services are completely shut
down or disabled. With ICMP attacks, which are becoming more common on the
Internet, an attacker sends an ICMP message to a host or router, telling it
to stop sending packets to all or part of the network.
How can you prevent denial of service attacks? The best defense against an
ICMP attack is to install a firewall that ignores or filters ICMP messages.
In general, though, denial of service attackers are tough to
prevent--electronically, as well as in real life. If you accept things from
the external world--electronic mail, telephone calls, or packages--it's
possible to get flooded. The famous college prank of ordering a pizza or two
from every pizzeria in town to be delivered to your least favorite person is
a form of denial of service. (It's hard to do much while arguing with 42
pizza deliverers.) In the electronic world, denial of service is as likely
to happen by accident as on purpose. (Have you ever had a persistent fax
machine try to fax something to your voice line?) The most important thing
is to set up services so that if one of them is flooded, the rest of your
site keeps functioning while you fix the problem.
Fortunately, denial of service attacks are not terribly popular. They're
easy enough to be unsporting; they tend to be simple to trace back--and
therefore risky to the attacker; and they don--t provide the attacker with
the information or the ability to use your computers that is the payoff for
most other attacks. Intentional denial of service attacks are the work of
people who are angry at your site in particular--and at most sites, there
are very few such people.
IP Attacks
Attackers sometimes take advantage of a little-used option--the source
routing option--in the IP header of packets being sent across the Internet.
Even systems protected by firewalls have fallen victim to these types of
attacks.
Certain kinds of firewalls work by keeping packets from being routed from an
outside system into your internal network. In normal packet routing, packets
are routed in the most efficient way from source to destination. However, if
the source routing option is specified for a packet, it shows the particular
route that the packet is to follow. Unfortunately, turning off the regular
routing of packets from the Internet to an inside network doesn't turn off
the routing of source-routed packets on BSD systems. At tackers have
exploited this peculiarity and used it to penetrate systems that are
expecting their firewalls to keep all such outside packets out.
Another attack, which surfaced for the first time in early 1995, involves
attackers creating packets with false IP addresses. By exploiting
applications that use authentication based on IP addresses (such as the
so-called Berkeley RrS commands, which include rlogin, rsh, and rcp),
intruders have been able to gain access. Most of the attacks take advantage
of the ability of intruders to guess sequence numbers associated with
network connections and the acknowledgments passed between machines. These
attacks are technically tricky, because the intruder doesn't receive the
responses to the packets it sends; when they succeed, however, the payoff
for these attacks can be high. (The attack on Shimomura described earlier
was this type.)
How can you prevent these attacks? Firewalls are the only sufficient
defense. You want to look for packets on your external interface (that is,
packets coming from outside your internal network) that claim to have
internal source IP addresses and for packets that have source routes
specified. You can do this by installing an appropriately configured packet
filtering router. It's also best to avoid address-based authentication
completely, if you can.
Hijacking Attacks
Another emerging Internet threat involves the hijacking of any open terminal
or login session from users on the system. Once intruders have root access
on a system, they use a tool that lets them dynamically modify the UNIX
kernel. This allows them to take over terminal connections after any
authentication procedures have been completed. Even the strongest
authentication (e.g., one-time passwords) are irrelevant because the attack
occurs after the user successfully logs in. (This is another way that your
systems can be compromised from any system that your users can log in from.)
This sort of attack has always been possible, but is easier to do and harder
to detect with the new tools. Various forms of hijacking--from the
completely unsubtle method of waiting for someone to get up for a cup of
coffee without locking their screen, to the devious exploitation of window
systems--have long been the most popular attacks at universities and other
places where people may legitimately have access and yet simultaneously be
hackers. In the past, these attacks have mostly been aimed at users at the
site where the attacks were taking place. The new attacks are aimed at
getting from a compromised system to an otherwise uncompromisable system
across the Internet.
How can you prevent this attack? Once intruders have root access, you can't.
So keep them out to begin with.
Security Solutions
Getting discouraged about connecting to the Internet or doing any real work
on it? Don't be. There are ways to protect your system against the threats
we've described.
There isn't a magic Internet security bullet. The best security solution
isn't a simple solution, but a collection of strategies and techniques. Your
own site's security philosophy, the characteristics of your users, the type
of data you're protecting, and your budget all help determine the right
approach for you. Here are some suggestions.
Enforce Good Host Security
With host security, you enforce the security of every machine at your site
separately, and you make every effort to learn about, and plug, any security
holes that your particular operating system presents. Although host security
isn't a complete solution to Internet risks--there are simply too many
machines, vendors, and operating systems to be sure that you've successfully
been able to secure them all--you need to make sure that every system on
your local network is as secure as you can make it. Systems exposed directly
to Internet traffic need especially strong host security.
In Practical UNIX Security, Simson Garfinkel and Gene Spafford offer
hundreds of specific suggestions for host security and also discuss a wide
range of network security problems and solutions. This book has become the
classic security reference for UNIX users and system administrators.
Encryption of Files and Email
If you use good encryption, then even if an intruder gets access to your
files and messages, he won't be able to make sense of them. There are many
types of encryption programs. Make sure to use one that uses a strong
cryptographic algorithm. Although it's been around a long time, the Data
Encryption Standard (DES) is still a pretty sound private key encryption
algorithm, particularly if you use a variant, like Triple-DES. IDEA, RC2,
and RC4 are other good private key algorithms. The RSA algorithm is the
premier public key algorithm. It's a part of Lotus Notes, Novell NetWare,
and hundreds of other products. Diffie-Hellman and Merkle-Hellman are other
good public key algorithms.
PGP is a program that implements the RSA algorithm and is freely available
on the Net (for noncommercial use within the United States). In PGP: Pretty
Good Privacy, Simson Garfinkel describes how to use PGP to encrypt files and
email and how to "sign" your email with an unforgettable digital signature,
proving to recipients that your messages were sent by you and weren't
modified during transmission. The book also contains a fascinating,
behind-the-scenes look at the development of Phil Zimmermann's controversial
program and the issues surrounding privacy, the export of encryption
programs, and cryptography patents.
Use Firewalls
A firewall restricts access from your internal network to the Internet--and
vice versa. A firewall may also be used to separate two or more parts of
your local network (for example, protecting finance from R&D).
The dictionary definition of "firewall" is: "A fireproof wall used as a
barrier to prevent the spread of a fire." A fire may damage, or even
destroy, one section of a building, but a firewall may keep that fire from
spreading to other sections of the building; at the very least, it may slow
down the spread until the fire can be brought under control.
On computer networks, firewalls serve an analogous purpose. A security
problem somewhere on a network--for example, eavesdropping, a major
break-in, or a worm program--may do a great deal of damage to one portion of
the network. But if a fire wall is in place, it can isolate what's behind it
from the security problem. Without firewalls network security problems can
rage out of control, dragging more and more systems down. Once one system on
a network has been compromised, it's often trivial to compromise the others.
Shared system resources, homogeneous services, and trust policies may all
contribute to the spread of a security problem from one system to another.
Think of a firewall as a checkpoint; all traffic is stopped and checked at
this point--usually, at the perimeter of your internal network, where you
connect to the Internet (see the figure above). Your own site's security
policy determines what happens at the checkpoint. Some requests (e.g.,
requests for email service) might pass right through. Others (e.g., requests
for potentially dangerous service like NFS or NIS) might be turned away.
Still others (e.g., requests for FTP file transfers) might be routed to
proxy services, which satisfy the requests without directly exposing
internal systems.
If your site is connected to the Internet, you may want to check out our
forthcoming book, Internet Security Firewalls, by D. Brent Chapman and
Elizabeth D. Zwicky. It contains the details of various firewall approaches
and architectures, how you can build packet filtering and proxying solutions
at your site, and how to configure Internet services to work with a
firewall.
Use Secure Procedures
Purely technical solutions go only so far. Just as there is a human element
to committing computer crimes, there is a human element to preventing them.
Be smart about prevention, and make sure your organization enforces good
security procedures in everything they do. Physical security (e.g., using
access cards for entry, protecting network cabling, etc.), personnel
security (e.g., removing the accounts of people who leave your
organization), and operational security (e.g., varying the schedules for
changing passwords, checking log files, etc.) are less technical, but
nevertheless important, parts of Internet security.
Two books provide valuable information on understanding and establishing
security at your site.
Computer Security Basics, by Deborah Russell and G. T. Gangemi, is the first
book to read if you want to learn what computer security is all about. It
contains the basics of access control, encryption, trusted systems, and
physical security, as well as a history of computer security developments,
U.S. Government security programs (such as the "Orange Book"), and a
complete glossary and resource summary.
Computer Crime: A Crimefighter s Handbook, by David Icove, Karl Seger, and
William VonStorch, is aimed particularly at those who need to investigate
computer crimes--law enforcement, managers, and others. It describes
targets, criminals, methods, and security measures you can take to prevent
them. It also details the way to detect, investigate, and prosecute computer
crimes, and it includes the complete text of all computer crime laws, both
federal and state.
president of SAGE (the System Administrator's Guild). She has been
involuntarily involved in Internet security since before the Worm.
----------------------------------------------------------------------------
Comments are appreciated to: Markus Hčbner.
Back to the Security-Page